Chapter 8
Audit Sampling:
An Overview and
Application to
Tests of Controls
McGraw-Hill/Irwin
Copyright © 2012 by The McGraw-Hill Companies, Inc. All rights reserved.
LO# 1
Introduction
Auditors need to rely on sampling to some degree
because it’s not always possible to analyze the entire
population:
1. Many control processes require human involvement.
2. Many testing procedures require the auditor to
physically examine an asset.
3. In many cases auditors are required to obtain and
evaluate evidence from third parties.
8-2
LO# 1
and 2
Definitions and Key Concepts
On the following slides we will define:
1. Audit Sampling.
2. Sampling Risk.
3. Confidence Level.
4. Tolerable and Expected Error.
8-3
LO# 1
Audit Sampling
•Here are at least two ways (there are more)
to define Audit Sampling:
•Analysis of part of a population, instead
of the entire population
•Using inferential statistics in an audit
Why is this (not terribly accurate description) phrase “Audit
Sampling” used?
Custom and tradition.
8-4
LO# 2
Sampling Risk
Sampling risk exists whenever inferential statistics
are used. There are two types of sampling risk. We
worry more about Type II risk, as that can cause an
audit failure
Risk of incorrect rejection (Type I) – in a test of internal
controls, it is the risk that the sample indicates the control is not operating
effectively when, in fact, it is operating effectively. In substantive testing, it
is the risk that the sample indicates that the recorded balance is
materially misstated when, in fact, it is not.
Risk of incorrect acceptance (Type II) – in a test of internal
controls, it is the risk that the sample indicates the control is operating
effectively when, in fact, it is not operating effectively. In substantive
testing, it is the risk that the sample indicates the recorded balance is
correct when it is, in fact, materially misstated.
8-5
Determining the “right” sample size in
attribute sampling and substantive sampling
Because sampling risk is always present,
the auditor must decide how much to
expose himself to.
 The auditor would like to avoid any
significant sampling risk, but that would
cost him a huge amount of time and effort

– He’d have to draw huge samples
– He’d lose the benefit of small samples
– Bottom line: this is a cost/benefit decision
LO# 2
Factors to Determine right Sample Size in Attribute
(ACL calls it “Record”) Sampling (compare text
Table 8-5 to ACL GUI)
1.Desired confidence level or risk of incorrect
acceptance
The ACL GUI calls this Confidence
2.Tolerable deviation rate (or tolerable error)
ACL calls this Upper Error Limit %
3.Expected population deviation rate
ACL calls this Expected Error Rate %
8-7
Evaluation of Results of Attribute (“Record” in
ACL) Sampling Terms: Text Table 8-8 vs. ACL
 Desired
Confidence Level
– ACL calls this Confidence
 Sample
Size
– ACL also calls this Sample Size
 Actual
Number of Deviations Found
– ACL calls this Number of Errors
 Computed
Upper Deviation Rate
– ACL calls it upper error limit frequency
LO# 2
Confidence Level
Confidence level is the
complement of sampling risk.
The auditor may set sampling risk for a
particular sampling application at 5%, which
results in a confidence level of 95%.
Thus, these 2 phrases are substantively the
same thing.
8-9
LO# 3
Sometimes we use Audit
Sampling and sometimes not…
Relationship between Evidence Types and Audit Sampling
Audit Sampling
Commonly Used
Type of Evidence
Yes
Inspection of tangible assets
Yes
Inspection of records or documents
Yes
Reperformance
Yes
Recalculation
Yes
Confirmation
No
Analytical procedures
No
Scanning
No
Inquiry
No
Observation
8-10
LO# 3
Audit Evidence – To Sample or
Not?
• Inspection of tangible assets. Auditors typically attend
the client’s year-end inventory count. When there are a
large number of items in inventory, the auditor will select a
sample to physically inspect and count.
• Inspection of records or documents. Certain controls
may require the matching of documents. The procedure
may take place many times a day. The auditor may gather
evidence on the effectiveness of the control by testing a
sample of the document packages.
8-11
LO# 3
Audit Evidence – To Sample or
Not?
 Reperformance. To comply with PCAOB standards,
publicly traded clients must document and test controls
over important assertions for significant accounts. The
auditor may reperform a sample of the tests performed by
the client.
 Confirmation. Rather than confirm all customer account
receivable balances, the auditor may select a sample of
customers.
8-12
LO# 3
Testing All Items with a Particular
Characteristic
When an account or class of transactions is made up
of a few large items, the auditor may examine all the
items in the account or class of transaction.
When a small number of large transactions make up
a relatively large percent of an account or class of
transactions, auditors will typically test all the
transactions greater than a particular dollar amount.
8-13
LO# 4
Types of Audit Sampling
Auditing standards recognize and permit both statistical
and nonstatistical methods of audit sampling.
Statistical sampling uses the laws of probability to 1)
compute sample size and 2) evaluate results. The auditor
is able to use the most efficient sample size and quantify
sampling risk.
In nonstatistical sampling, the auditor does not
use the laws of probability in one or both of these
tasks
8-14
LO# 4
Types of Audit Sampling
Advantages of statistical sampling:
1. Design an efficient sample.
2. Measure the sufficiency of
evidence obtained.
3. Quantify sampling risk.
Disadvantage of statistical sampling:
It has been found, as a practical
matter, in litigation, to be harder
for the CPA firm to defend itself, if
it used statistical sampling rather
than nonstatistical sampling.
8-15
LO# 4
Statistical Sampling Techniques
1.Attribute Sampling (used for IC
testing – Ch. 8).
2.Monetary-Unit Sampling (used to
decide if auditor can accept as
materially correct $$ in a Balance
Sheet or IS account – Ch. 9).
3.Classical Variables Sampling (ditto
MUS)
LO#
Attribute Sampling Applied to
Tests of Controls
5, 6, & 7
In conducting a statistical sample for a
test of controls, auditing standards
require the auditor to properly plan,
perform, and evaluate the sampling
application and to adequately document
each phase of the sampling application.
Plan
Perform
Evaluate
Document
8-17
LO#
5, 6, & 7
Planning
Planning
1. Determine the test objectives.
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The objective of attribute sampling when used for
tests of controls is to evaluate the operating
effectiveness of the internal control.
8-18
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
All of the items that constitute the class of
transactions make up the sampling population.
8-19
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
Each sampling unit makes up one item in the
population. The sampling unit should be defined in
relation to the specific control being tested.
In the Calabro audit the sampling unit is the
sales or lease contract (p. 282)
8-20
LO#
5, 6, & 7
Planning
Planning
2. Define the population characteristics:
• Define the sampling population.
• Define the sampling unit.
• Define the control deviation conditions.
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
A deviation is a departure from adequate
performance of the internal control.
8-21
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
Confidence level is the desired level of
assurance that the sample results will support a
conclusion that the control is functioning
effectively. When the auditor has decided to rely
on controls, the confidence level is traditionally
set at 90% or 95%. This means the auditor is
willing to accept a 10% or 5% risk of accepting
the control as effective when it is not.
8-22
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The tolerable deviation rate is the maximum deviation
rate from a prescribed control that the auditor is willing to
accept and still consider the control effective.
Example Suggested Tolerable Deviation Rates:
Assessed Improtance of a
Control
Highly important
Moderately important
Tolerable
Deviation
Rate
3–5%
6–10%
8-23
LO#
5, 6, & 7
Planning
Planning
3. Determine the sample size, using the following inputs:
• The desired confidence level or risk of incorrect acceptance.
• The tolerable deviation rate.
• The expected population deviation rate.
The expected population deviation rate is
the rate the auditor expects to exist in the
population. The larger the expected
population deviation rate, the larger the
sample size must be, all else equal.
EXAMPLE: Assume a
desired confidence level of
95%, and a large
population, the effect of the
expected population
deviation rate on sample
size is shown right:
Expected Population
Deviation Rate
Sample
Size
1.0%
93
1.5%
124
2.0%
181
3.0%
‡
‡ Sam ple size too large to be cost-effective.
8-24
LO#
Population Size: Attributes
Sampling
5, 6, & 7
Population size is not often important in determining
sample sizes for attributes sampling, so we skip
Advanced Module 1. Below is shown the impact of the
3 factors that matter.
Factor
Desired confidence level
Tolerable deviation rate
Expected population deviation rate
Relationship to
Sample Size
Direct
Inverse
Direct
Examples
Change in
Effect on
Factor
Sample Size
Lower
Decrease
Higher
Increase
Lower
Increase
Higher
Decrease
Lower
Decrease
Higher
Increase
8-25
LO#
5, 6, & 7
Performance
Performance and Evaluation
4. Select sample items:
• Random-Number Selection.
5. Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
This is the preferred method. Every item in
the population has the same probability of
being selected as every other item.
8-26
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
For example, assume a sales invoice should not be
prepared unless there is a related shipping document. If
the shipping document is present, there is evidence the
control is working properly. If the shipping document is not
present, a control deviation exists.
8-27
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
Unless the auditor finds something unusual about
either of these items, they should be replaced with a
new sample item.
8-28
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
If the auditor is unable to examine a document or to
use an alternative procedure to test the control, the
sample item is a deviation for purposes of evaluating
the sample results.
8-29
LO#
5, 6, & 7
Performance
Performance and Evaluation
5. Perform the Audit Procedures:
• Voided documents.
• Unused or inapplicable documents.
• Inability to examine a sample item.
• Stopping the test before completion.
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
If a large number of deviations are detected
early in the tests of controls, the auditor should
consider stopping the test, as soon as it is clear
that the results of the test will not support the
planned assessed level of control risk.
8-30
LO#
5, 6, & 7
Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
The auditor summarizes the deviations and
evaluates the results. For example, if the auditor
discovered two deviations in a sample of 50, the
sample deviation rate is 4% (2 ÷ 50).
But what matters is the computed upper
deviation rate (CUDR), the sum of the sample
deviation rate plus an allowance for sampling
risk. You get this from ACL or text Table 8-8.
8-31
LO#
5, 6, & 7
Evaluation
Evaluation
6. Calculate the Sample Deviation and Upper Deviation Rates.
7. Draw Final Conclusions.
The auditor compares the tolerable deviation rate
(TDR) to the computed upper deviation rate
(CUDR).
If the CUDR > TDR the results indicate IC
is not as effective as planned and cannot
be relied upon to the extent planned.
If the CUDR <= TDR the results indicate IC
is as effective as planned and can be relied
upon.
8-32
LO#
5, 6, & 7
Attribute Sampling Example
The auditor has decided to test a control at Calabro
Wireless Services. The test is to determine that the sales
and service contracts are properly authorized for credit
approval. A deviation in this test is defined as the failure of
the credit department personnel to follow proper credit
approval procedures for new and existing customers. Here
is information relating to the test:
Desired confidence level
Tolerable deviation rate
Expected population deviation rate
Sample size
95%
6%
1%
78
8-33
LO#
5, 6, & 7
Attribute Sampling Example
Part of the table used to determine sample size when
the auditor specifies a 95% desired confidence level.
If there are 125,000 items in the population numbered
from 1 to 125,000, the auditor can use Excel to generate
random selections from the population for testing.
8-34
LO#
5, 6, & 7
Attribute Sampling Example
The auditor examines each selected contract for credit
approval and determines the following:
Number of deviations
Sample size
Sample deviation rate
Computed upper deviation rate
Tolerable deviation rate
2
78
2.6%
8.2%
6.0%
Let’s see how we get the computed
upper deviation rate.
8-35
LO#
5, 6, & 7
Attribute Sampling Example
Part of the table used to determine the computed upper
deviation rate at 95% desired confidence level:
Sample
Size
25
30
35
40
45
50
55
60
65
70
75
80
Actual Number of Deviations Found
0
1
2
3
11.3
17.6
9.5
14.9
19.6
8.3
12.9
17.0
7.3
11.4
15.0
18.3
6.5
10.2
13.4
16.4
5.9
9.2
12.1
14.8
5.4
8.4
11.1
13.5
4.9
7.7
10.2
12.5
4.6
7.1
9.4
11.5
4.2
6.6
8.8
10.8
4.0
6.2
8.2
10.1
3.7
5.8
7.7
9.5
8-36
LO#
5, 6, & 7
Attribute Sampling Example
Tolerable
Deviation
Rate (6%)
<
Computed
Upper Deviation
Rate (8.2%)
Auditor’s Decision:
Does not support reliance on the control.
8-37
End of Chapter 8
8-38